Amazon AWS

AWS Certified Security – Specialty

SCS-C03

The AWS Certified Security – Specialty (SCS-C03) exam tests your skills in securing AWS environments. It is designed for security professionals looking to validate their expertise in AWS security.


Questions 31–40 of 486

Q31

Which service provides a dedicated virtual network in AWS?

  • A Amazon VPC
  • B AWS Lambda
  • C Amazon RDS
  • D Amazon EC2

Explanation: Amazon VPC allows users to create isolated networks; the others provide different functionalities.

Q32

A company needs to rotate encryption keys every 90 days. Which AWS service supports this automatically?

  • A AWS Key Management Service
  • B AWS Secrets Manager
  • C Amazon CloudWatch
  • D AWS Config

Explanation: AWS KMS supports automatic key rotation; the others do not manage encryption keys.

Q33

What happens when configuring a security group for an EC2 instance with an all-allow rule?

  • A Restricts outbound traffic only
  • B Blocks all incoming traffic
  • C Allows all traffic in and out
  • D Allows traffic only on specific ports

Explanation: An all-allow rule in a security group permits traffic in all directions; the other options describe restricted settings.

Q34

Which AWS service provides a secure way to share sensitive information between users?

  • A AWS Secrets Manager
  • B AWS S3
  • C AWS IAM
  • D AWS CloudTrail

Explanation: AWS Secrets Manager securely stores and manages sensitive information, while S3 is for storage, IAM is for permissions, and CloudTrail is for logging.

Q35

A company needs to enforce MFA for all users. Which IAM policy effect should be implemented?

  • A Allow
  • B Deny
  • C Audit
  • D Ignore

Explanation: MFA requirements must be enforced using a Deny effect for actions without MFA, while Allow does not enforce it.

Q36

What happens when a security group is associated with an EC2 instance?

  • A Incoming traffic is blocked
  • B All outbound traffic is blocked
  • C Rules apply immediately
  • D Public IP is assigned automatically

Explanation: Security group rules are enforced immediately upon association; the other options misrepresent AWS behavior.

Q37

Which service allows for detailed monitoring of AWS resources' compliance status?

  • A AWS Config
  • B AWS Shield
  • C AWS Inspector
  • D AWS CloudTrail

Explanation: AWS Config provides monitoring and compliance for resources, while the others focus on different aspects of security and logging.

Q38

A company needs to securely share access to AWS resources with a partner organization. What should they implement?

  • A Security Groups
  • B IAM Roles with Cross-account access
  • C S3 Bucket Policies
  • D VPC Peering

Explanation: IAM Roles with Cross-account access allow sharing securely, while the others do not provide secure cross-account capability.

Q39

What happens when an AWS S3 bucket is made public?

  • A All objects are deleted immediately
  • B Access logs are enabled automatically
  • C Anyone can read the objects
  • D Bucket cannot be accessed anymore

Explanation: Making an S3 bucket public allows anyone to access its objects, while the other options misrepresent public bucket behavior.

Q40

Which service provides DDoS protection for applications?

  • A AWS Shield
  • B AWS WAF
  • C AWS Inspector
  • D AWS Secrets Manager

Explanation: AWS Shield specifically protects against DDoS attacks, while the others serve different security roles.